When Smarter Is Not Always Safer: the Cybersecurity of the Electric Grid

When Smarter Is Not Always Safer: the Cybersecurity of the Electric Grid

November 2, 2018

“An increased reliance on electricity combined with new production methods and structural changes in the grid pose new challenges in guaranteeing stable and affordable access to electricity. These structural changes imply the integration of ‘smart’ control systems, which often rely on internet connections. Yet, considering the rapid development of malicious activities in the cyber domain, a smarter grid is not always safer.“

In 2015, representatives of 196 state parties negotiated the Paris Agreement, whose focal point was to limit global warming to below 2 °C, but preferably below 1.5 °C. The Intergovernmental Panel on Climate Change published a new report in October 2018. This report calls for urgent action to phase out fossil fuels by outlining the disastrous impacts of global warming that could be avoided by limiting global warming to 1.5 °C compared to 2 °C [1]. The need to phase out fossil fuels is well acknowledged, but this transition opens up a whole new range of hurdles to overcome. An increased reliance on electricity combined with new production methods and structural changes in the grid pose new challenges in guaranteeing stable and affordable access to electricity. These structural changes imply the integration of ‘smart’ control systems, which often rely on internet connections. Yet, considering the rapid development of malicious activities in the cyber domain, a smarter grid is not always safer.

Phasing out the use of fossil fuels requires the intensified use of alternative sources of energy. Among the largest sources of renewable energy are wind and solar-power. This production takes place on both the industrial and household levels, for example on large solar farms as well as individual solar panels on rooftops. This development means that electricity is now ‘injected’ in the grid from multiple entry-points: both in the ‘traditional’ top-down direction, as well as in bottom-up processes. However, in the absence of (economically viable) large-scale electricity storage capacity, the grid has to be perfectly balanced at all times: input and output have to be equal. This balancing act becomes increasingly difficult due to several reasons. One is the aforementioned multidirectional injection of electricity into the grid. Another reason is the intermittent production nature of renewable energy sources; solar and wind energy are only produced when the sun shines and the wind blows, and therefore are difficult to regulate.

Properly regulating and balancing the grid requires the collection of large amounts of data about the production and consumption of energy. This is often done through Supervisory Control and Data Acquisition systems (SCADA systems) – these are control systems installed on remote places in the electricity grid. SCADA systems have a dual function. First, they gather data about energy flows and send this data to a central command centre. Second, they execute control commands that they receive from the centre with the purpose of keeping the grid balanced and thus operational [2] [3]. These SCADA systems sometimes referred to as SMART systems (Self-Managing and Reliable Transmission systems), are credited with increasing efficiency and enabling the integration of ‘irregular’ production methods [4]. However, they are also more vulnerable to hackers.

The exchange of data and commands between a SCADA system and the central command centre frequently takes place through an internet connection. Such connections, especially wireless ones, make a system easier to target. Therefore, the risk that external actors gain access to control systems is larger. Subsequently, if a hacker manages to take control and disconnect the system, it can take longer for the grid regulators to regain control because such SCADA systems are often placed in remote locations. By accessing control systems and using this access for disrupting command structures, hackers can disrupt the balance of the grid and ultimately even cause blackouts. This, for example, happened in 2015, when hackers managed to gain access to a remote substation in Ukraine and rendered it inoperable and again in 2016 when Ukrainian Industrial Control systems were hacked [5] [6].

In the context of an increased reliance on electricity, to enable our shift away from fossil fuels, it is safe to conclude that the stable functioning of the electricity grid is of paramount importance. Additionally, the strategy of the European Energy Union heavily relies on the future development of the electricity sector. Integration and standardization of electricity control systems might streamline cross-country energy flows and stimulate the development of a truly interconnected market, but could also render it more vulnerable. If you figure out how to hack one, you know how to hack all of them. Ultimately, we can conclude that a smarter grid is not always a safer grid.